Fwd: [NATURAL_DEFENCE] Who is Publishing NSA and CIA Secrets, and Why?

grarpamp grarpamp at gmail.com
Thu May 18 00:46:56 PDT 2017


So deep in ur base...


---------- Forwarded message ----------
From: ECOTERRA Intl. <office at ecoterra-international.org>
Date: Mon, May 15, 2017 at 7:31 AM
Subject: [NATURAL_DEFENCE] Who is Publishing NSA and CIA Secrets, and Why?
To: MAILHUB <mailhub at ecoterra.net>


Who is Publishing NSA and CIA Secrets, and Why?

By Bruce Schneier - May 15, 2017 - CRYPTO-GRAM

There's something going on inside the intelligence communities in at
least two countries, and we have no idea what it is.

Consider these three data points. One: someone, probably a country's
intelligence organization, is dumping massive amounts of cyberattack
tools belonging to the NSA onto the Internet. Two: someone else, or
maybe the same someone, is doing the same thing to the CIA.

Three: in March, NSA Deputy Director Richard Ledgett described how the
NSA penetrated the computer networks of a Russian intelligence agency
and was able to monitor them as they attacked the US State Department
in 2014. Even more explicitly, a US ally -- my guess is the UK -- was
not only hacking the Russian intelligence agency's computers, but also
the surveillance cameras inside their building. "They [the US ally]
monitored the [Russian] hackers as they manoeuvred inside the U.S.
systems and as they walked in and out of the workspace, and were able
to see faces, the officials said."

Countries don't often reveal intelligence capabilities: "sources and
methods." Because it gives their adversaries important information
about what to fix, it's a deliberate decision done with good reason.
And it's not just the target country who learns from a reveal. When
the US announces that it can see through the cameras inside the
buildings of Russia's cyber warriors, other countries immediately
check the security of their own cameras.

With all this in mind, let's talk about the recent leaks at NSA and the CIA.

Last year, a previously unknown group called the Shadow Brokers
started releasing NSA hacking tools and documents from about three
years ago. They continued to do so this year -- five sets of files in
all -- and have implied that more classified documents are to come. We
don't know how they got the files. When the Shadow Brokers first
emerged, the general consensus was that someone had found and hacked
an external NSA staging server. These are third-party computers that
the NSA's TAO hackers use to launch attacks from. Those servers are
necessarily stocked with TAO attack tools. This matched the leaks,
which included a "script" directory and working attack notes. We're
not sure if someone inside the NSA made a mistake that left these
files exposed, or if the hackers that found the cache got lucky.

That explanation stopped making sense after the latest Shadow Brokers
release, which included attack tools against Windows, PowerPoint
presentations, and operational notes -- documents that are definitely
not going to be on an external NSA staging server. A credible theory,
which I first heard from Nicholas Weaver, is that the Shadow Brokers
are publishing NSA data from multiple sources. The first leaks were
from an external staging server, but the more recent leaks are from
inside the NSA itself.

So what happened? Did someone inside the NSA accidentally mount the
wrong server on some external network? That's possible, but seems very
unlikely. Did someone hack the NSA itself? Could there be a mole
inside the NSA, as Kevin Poulsen speculated?

If it is a mole, my guess is that he's already been arrested. There
are enough individualities in the files to pinpoint exactly where and
when they came from. Surely the NSA knows who could have taken the
files. No country would burn a mole working for it by publishing what
he delivered. Intelligence agencies know that if they betray a source
this severely, they'll never get another one.

That points to two options. The first is that the files came from Hal
Martin. He's the NSA contractor who was arrested in August for
hoarding agency secrets in his house for two years. He can't be the
publisher, because the Shadow Brokers are in business even though he
is in prison. But maybe the leaker got the documents from his stash:
either because Martin gave the documents to them or because he himself
was hacked. The dates line up, so it's theoretically possible, but the
contents of the documents speak to someone with a different sort of
access. There's also nothing in the public indictment against Martin
that speaks to his selling secrets to a foreign power, and I think
it's exactly the sort of thing that the NSA would leak. But maybe I'm
wrong about all of this; Occam's Razor suggests that it's him.

The other option is a mysterious second NSA leak of cyberattack tools.
The only thing I have ever heard about this is from a Washington Post
story about Martin: "But there was a second, previously undisclosed
breach of cybertools, discovered in the summer of 2015, which was also
carried out by a TAO employee, one official said. That individual also
has been arrested, but his case has not been made public. The
individual is not thought to have shared the material with another
country, the official said." But "not thought to have" is not the same
as not having done so.

On the other hand, it's possible that someone penetrated the internal
NSA network. We've already seen NSA tools that can do that kind of
thing to other networks. That would be huge, and explain why there
were calls to fire NSA Director Mike Rogers last year.

The CIA leak is both similar and different. It consists of a series of
attack tools from about a year ago. The most educated guess amongst
people who know stuff is that the data is from an almost-certainly
air-gapped internal development wiki -- a Confluence server -- and
either someone on the inside was somehow coerced into giving up a copy
of it, or someone on the outside hacked into the CIA and got
themselves a copy. They turned the documents over to WikiLeaks, which
continues to publish it.

This is also a really big deal, and hugely damaging for the CIA. Those
tools were new, and they're impressive. I have been told that the CIA
is desperately trying to hire coders to replace what was lost.

For both of these leaks, one big question is attribution: who did
this? A whistleblower wouldn't sit on attack tools for years before
publishing. A whistleblower would act more like Snowden or Manning,
publishing immediately -- and publishing documents that discuss what
the US is doing to whom, not simply a bunch of attack tools. It just
doesn't make sense. Neither do random hackers. Or cybercriminals. I
think it's being done by a country or countries.

My guess was, and is still, Russia in both cases. Here's my reasoning.
Whoever got this information years before and is leaking it now has to
1) be capable of hacking the NSA and/or the CIA, and 2) willing to
publish it all. Countries like Israel and France are certainly
capable, but wouldn't ever publish. Countries like North Korea or Iran
probably aren't capable. The list of countries who fit both criteria
is small: Russia, China, and...and...and I'm out of ideas. And China
is currently trying to make nice with the US.

Last August, Edward Snowden guessed Russia, too.

So Russia -- or someone else -- steals these secrets, and presumably
uses them to both defend its own networks and hack other countries
while deflecting blame for a couple of years. For it to publish now
means that the intelligence value of the information is now lower than
the embarrassment value to the NSA and CIA. This could be because the
US figured out that its tools were hacked, and maybe even by whom;
which would make the tools less valuable against US government
targets, although still valuable against third parties.

The message that comes with publishing seems clear to me: "We are so
deep into your business that we don't care if we burn these
few-years-old capabilities, as well as the fact that we have them.
There's just nothing you can do about it." It's bragging.

Which is exactly the same thing Ledgett is doing to the Russians.
Maybe the capabilities he talked about are long gone, so there's
nothing lost in exposing sources and methods. Or maybe he too is
bragging: saying to the Russians that he doesn't care if they know.
He's certainly bragging to every other country that is paying
attention to his remarks. (He may be bluffing, of course, hoping to
convince others that the US has intelligence capabilities it doesn't.)

What happens when intelligence agencies go to war with each other and
don't tell the rest of us? I think there's something going on between
the US and Russia that the public is just seeing pieces of. We have no
idea why, or where it will go next, and can only speculate.

This essay was first published on Lawfare.com.
https://www.lawfareblog.com/who-publishing-nsa-and-cia-secrets-and-why

Ledgett:
https://www.washingtonpost.com/world/national-security/new-details-emerge-about-2014-russian-hack-of-the-state-department-it-was-hand-to-hand-combat/2017/04/03/d89168e0-124c-11e7-833c-503e1f6394c9_story.html

Shadow Brokers:
https://www.schneier.com/blog/archives/2016/08/major_nsaequati.html
https://www.schneier.com/blog/archives/2017/04/shadow_brokers_.html
https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/

Snowden on Shadow Brokers:
https://twitter.com/Snowden/status/765514477341143040

Kevin Poulsen's speculation:
http://www.thedailybeast.com/articles/2017/04/20/is-there-a-russian-mole-inside-the-nsa-the-cia-or-both.html

Hal Martin:
https://www.washingtonpost.com/world/national-security/government-contractor-arrested-for-stealing-top-secret-data/2016/10/05/99eeb62a-8b19-11e6-875e-2c1bfe943b66_story.html
https://www.washingtonpost.com/world/national-security/ex-nsa-contractor-accused-of-massive-theft-is-a-collector-not-a-traitor-lawyers-say/2016/10/21/64ce85ea-97c8-11e6-bb29-bf2701dbe0a3_story.html

The second NSA leaker:
https://www.washingtonpost.com/world/national-security/pentagon-and-intelligence-community-chiefs-have-urged-obama-to-remove-the-head-of-the-nsa/2016/11/19/44de6ea6-adff-11e6-977a-1030f822fc35_story.html

Calls to fire NSA Director Mike Rogers:
https://www.washingtonpost.com/world/national-security/pentagon-and-intelligence-community-chiefs-have-urged-obama-to-remove-the-head-of-the-nsa/2016/11/19/44de6ea6-adff-11e6-977a-1030f822fc35_story.html

China:
https://www.wired.com/2015/09/us-china-reach-historic-agreement-economic-espionage/
http://www.npr.org/sections/parallels/2017/04/06/522764317/summit-between-chinas-xi-jinping-and-president-trump-comes-amid-tensions
